I recently worked on a case where one node of a Galera cluster had its schema desynchronized with the other nodes. And that was although Total Order Isolation method was in effect to perform the schema changes. Let’s see what happened.

Background

For those of you who are not familiar with how Galera can perform schema changes, here is a short recap:

Two methods are available depending on the value of the wsrep_OSU_method setting. Both have benefits and drawbacks, it is not the main topic of this post.

With TOI (Total Order Isolation), a DDL statement is performed at the same point in the replication flow on all nodes, giving strong guarantees that the schema is always identical on all nodes.

With RSU (Rolling Schema Upgrade), a DDL statement is not replicated to the other nodes. Until the DDL statement has been executed on all nodes, the schema is not consistent everywhere (so you should be careful not to break replication).

If you read carefully the section on TOI, you will see that “[…] TOI transactions will never fail certification and are guaranteed to be executed.” But also that “The system replicates the TOI query before execution and there is no way to know whether it succeeds or fails. Thus, error checking on TOI queries is switched off.”

Confusing? Not really. It simply means that with TOI, a DDL statement will always pass certification. But if for some reason, the DDL statement fails on one of the nodes, it will not be rolled back on the other nodes. This opens the door for schema inconsistencies between nodes.

Conclusion

As on regular MySQL, schema changes are challenging with Galera. Some subtleties can create a lot of troubles if you are not aware of them. So before running DDL statement, make sure you fully understand how TOI and RSU methods work.

Related

Author

Stéphane joined Percona in July 2012, after working as a MySQL DBA for leading French companies such as Dailymotion and France Telecom.
In real life, he lives in Paris with his wife and their twin daughters. When not in front of a computer or not spending time with his family, he likes playing chess and hiking.

I don’t understand. You said “Galera cluster had its schema desynchronized with the other nodes. And that was although Total Order Isolation method was in effect”. But in your example, you disable TOI. So which one is it? Does TOI guarantee consistency or not?

@burn: right, this is confusing… TOI guarantees that a DDL is executed on all nodes at the same point in time. However Galera cannot check whether the DDL ran successfully on all nodes.

So if for instance, you first desynchronize the schema under RSU (which is allowed and expected), forget about the change and then change the schema of the same table under TOI, the 2nd DDL may not be executed correctly on all nodes.

Then you might think that TOI was not able to change the schema properly, while the real issue is somewhere else (schema change under RSU was not performed on all nodes).

@Stephane: When this happened, was the failed node able to come back up and get the old schema via an SST? I replicated this on a Galera cluster and noticed that the failing node deleted the DB and the table, but the other node kept the DB (even after an SST happened).